Azure Site-2-Site to Meraki MX65W

JackInSights
Just browsing

I have created a policy-based S2S VPN through to Meraki. I manage to connect for about a minute before the connection is dropped by the Azure side. The VPN health pages from both Azure and Meraki confirm the connection is connected, but I am unable to pass data through the VPN.

Meraki Logs:

Aug 22 16:02:28		Non-Meraki / Client VPN negotiation	msg: IPsec-SA expired: ESP/Tunnel (IP ADDRESS REMOVED FOR FORUM POST)[500]->(IP ADDRESS REMOVED FOR FORUM POST)[500] spi=20513400(0x1390278)
Aug 22 16:02:28		Non-Meraki / Client VPN negotiation	msg: (IP ADDRESS REMOVED FOR FORUM POST) give up to get IPsec-SA due to time up to wait.
Aug 22 16:02:22		Non-Meraki / Client VPN negotiation	msg: IPsec-SA established: ESP/Tunnel (IP ADDRESS REMOVED FOR FORUM POST)[500]->(IP ADDRESS REMOVED FOR FORUM POST)[500] spi=1719290698(0x667a4b4a)
Aug 22 16:02:22		Non-Meraki / Client VPN negotiation	msg: IPsec-SA established: ESP/Tunnel (IP ADDRESS REMOVED FOR FORUM POST)[500]->(IP ADDRESS REMOVED FOR FORUM POST)[500] spi=246369293(0xeaf4c0d)
Aug 22 16:02:22		Non-Meraki / Client VPN negotiation	msg: not matched
Aug 22 16:02:22		Non-Meraki / Client VPN negotiation	msg: ISAKMP-SA established (IP ADDRESS REMOVED FOR FORUM POST)[500]-(IP ADDRESS REMOVED FOR FORUM POST)[500] spi:2fc20dbf268e2691:9f77ad7ee133a1b9
Aug 22 16:02:22		Non-Meraki / Client VPN negotiation	msg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY

 

Settings:

! [2] IPsec/IKE parameters
!
!   > IKE version:             IKEv2
!     + Encryption algorithm:  aes-cbc-256
!     + Integrityalgorithm:    sha1
!     + Diffie-Hellman group:  2
!     + SA lifetime (seconds): 3600
!     + Pre-shared key:        REMOVED
!     + UsePolicyBasedTS:      False
!
!   > IPsec
!     + Encryption algorithm:  esp-gcm 256
!     + Integrity algorithm:   
!     + PFS Group:             none
!     + SA lifetime (seconds): 3600

This matches up with the Azure preset in the Meraki S2S setup page.

We have had the exact same setup completed with a Meraki MX64 for another client, which works fine. We have compared that config line by line to this new one but are unable to find any differences bar the usual IP addresses and PSK.
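
An added example, not part of the original post and not Meraki or Azure tooling: a Python triage pass over an event log in the format shown above, which orders the events oldest first and flags the ones that contradict a healthy tunnel with the 3600-second SA lifetime from the settings. The function names, finding labels, the assumed year and the placeholder peer addresses are all assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample modelled on the post's event log (newest first); the
# peer addresses are documentation-range placeholders, not from the thread.
P = "192.0.2.10[500]->198.51.100.20[500]"
T = "\t\tNon-Meraki / Client VPN negotiation\tmsg: "
SAMPLE = "\n".join([
    f"Aug 22 16:02:28{T}IPsec-SA expired: ESP/Tunnel {P} spi=20513400(0x1390278)",
    f"Aug 22 16:02:28{T}192.0.2.10 give up to get IPsec-SA due to time up to wait.",
    f"Aug 22 16:02:22{T}IPsec-SA established: ESP/Tunnel {P} spi=1719290698(0x667a4b4a)",
    f"Aug 22 16:02:22{T}IPsec-SA established: ESP/Tunnel {P} spi=246369293(0xeaf4c0d)",
    f"Aug 22 16:02:22{T}not matched",
    f"Aug 22 16:02:22{T}ISAKMP-SA established 192.0.2.10[500]-198.51.100.20[500] spi:2fc20dbf268e2691:9f77ad7ee133a1b9",
    f"Aug 22 16:02:22{T}received broken Microsoft ID: MS NT5 ISAKMPOAKLEY",
])

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d)\s+.+?\s+msg: (.*)$")
SPI = re.compile(r"spi=(\d+)\(0x[0-9a-f]+\)")
KINDS = [("IPsec-SA established", "ipsec_up"), ("IPsec-SA expired", "ipsec_expired"),
         ("ISAKMP-SA established", "isakmp_up"), ("not matched", "not_matched"),
         ("give up to get IPsec-SA", "gave_up")]

def parse(text, year=2000):
    """Return (timestamp, kind, spi) tuples, oldest first; `year` is assumed."""
    events = []
    for m in filter(None, (LINE.match(r.strip()) for r in text.splitlines())):
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        kind = next((k for needle, k in KINDS if needle in m.group(2)), "other")
        spi = SPI.search(m.group(2))
        events.append((ts, kind, int(spi.group(1)) if spi else None))
    # The excerpt is newest first; reverse so same-second events keep their order.
    return sorted(reversed(events), key=lambda e: e[0])

def triage(events, lifetime=3600):
    """Flag events that contradict a healthy tunnel with the given SA lifetime."""
    up = {spi: ts for ts, kind, spi in events if kind == "ipsec_up"}
    findings = []
    for ts, kind, spi in events:
        if kind == "ipsec_expired" and spi not in up:
            findings.append(("expired_never_seen_established", spi))
        elif kind == "ipsec_expired" and (ts - up[spi]).total_seconds() < lifetime:
            findings.append(("expired_before_lifetime", spi))
        elif kind in ("not_matched", "gave_up"):
            findings.append((kind, None))
    return findings

print(triage(parse(SAMPLE)))
```

On the sample, the flagged items are the `not matched` message, the give-up message, and an expiry for an SPI that is never reported as established in the excerpt.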

Happiman
Building a reputation

@JackInSights 

 

Have you requested to turn on IKEv2 on your network?

 

"Please note that IKEv2 is only supported on MX Security Appliances that are running firmware version 15.12 or higher. This version of IKE must also be enabled by Cisco Meraki support in order to function."

PhilipDAth
Kind of a big deal

It will probably be easier to change to use IKEv1 in Azure.

JackInSights
Just browsing

It is currently set up like this at the moment. Policy-based VNG but having no luck.
